2021 has been replete with large-scale ransomware attacks. First there was the attack on the Colonial Gas Pipeline, then another attack against the nation’s meat producers. Ransomware is quickly spiraling out of control and putting on full display how unprepared many critical sectors of the economy are for both basic and advanced cybersecurity threats. Unfortunately, without large-scale change 2021 may prove to be a harbinger of crisis to come rather than an aberration.
Without large-scale, sustained, and targeted investments in information security, we risk entering an age of disruption: an era in which critical infrastructure becomes inherently unreliable. The emergency room is closed due to a ransomware attack, gas is unavailable due to a blocked pipeline, and food prices become ever more volatile as ransomware brings farming to a halt.
Cyber threat actors have been growing more dangerous year over year for the past decade while information security investment has lagged. Despite the proliferation of data privacy and cybersecurity regulations in recent years (NYDFS, CMMC, GDPR, CCPA), companies are failing to make adequate investments to protect their sensitive information.
These changes are all occurring against a backdrop in which increasingly large portions of our industrial economy are digital. A 2019 report indicated that 59% of all U.S. exports are digitally enabled services. And even purely physical services can be brought low by ransomware attacks. Colonial Pipeline wasn’t only devastating due to its profound impacts on oil and gas companies. It affected millions of real-world businesses including shops, grocery stores, trucking, and the broader supply chain of the east coast.
The Problem with a Compliance Only Approach
Cybersecurity compliance is critical in today’s ever-changing world. There are dozens of regulations, some broad and some industry specific. Non-compliance can cost millions, and even tens of millions. However, many organizations unfortunately choose to take a compliance-first and compliance-only approach to cybersecurity. Rather than investing in software and processes that deliver measurable reductions in risk, they spend their time writing hundreds of pages of documentation and process that few, if any, will ever read or put into practice.
We strongly recommend all companies spend the time and investment necessary to achieve cybersecurity compliance. However, companies need to go further in today’s world. We recommend basing your cybersecurity program on two foundational pillars:
Frameworks not Requirements
Many organizations read the HIPAA Security Rule as a guide, and not as a set of highly specific requirements. Building a program from HIPAA is an excellent start, but it does not go nearly far enough. Frameworks such as the NIST Cybersecurity Framework provide a far more comprehensive and robust roadmap for building a cybersecurity program, one that doesn’t leave the gaps that a narrow focus on requirements does. At the same time, aligning with the NIST CSF can leave you in a far better position to address numerous cybersecurity requirements, including HIPAA, PCI DSS, NYDFS, and others.
Adaptive not Static
The world is not static, and neither should your cybersecurity program be. Adaptive cybersecurity is a program that scales up and down based on your real-world, risk-based needs. Overbuilding for cybersecurity can result in millions in cost overruns without any additional security to show for it. Underinvesting can leave you vulnerable to costly break-ins and compliance risks. An adaptive program uses what you have, scales based on need, and, most importantly, provides optimal protection based on your risk profile.
To combat this rapid increase in attacks, organizations need to do two things: plan for a future with increasing cyber disruption, and adopt an adaptive cybersecurity approach to deal with the increasingly sophisticated threat landscape.
Recent history indicates that cyberattacks are likely to continue to grow in both complexity and efficacy over time. Organizations, franchises, universities, and local governments need to begin planning accordingly. While basic cybersecurity practices such as end-user training and simulated phishing exercises are indispensable, organizations need to begin preparing to build a much more robust, scalable, and effective cybersecurity program.
We can simultaneously expect the national attack surface to continue to expand rapidly. This year, internet-connected devices are expected to reach 46 billion. That represents billions of potential access points for hackers and threat actors that can then be leveraged to build botnets, compromise secure systems, and even cripple entire industries.
Adaptive cybersecurity bridges the gap and allows organizations to digitally engage the outside world with far less risk of a devastating breach. Adaptive cybersecurity is security that automatically scales to your organization’s needs and existing infrastructure.
Let’s start with the basics. Few companies today make adequate investments in information security. This occurs for a few reasons: first, building a full-scale in-house cybersecurity program can be exorbitantly expensive; second, many companies lack the expertise to begin building a program.
This is where adaptive cybersecurity shines. An adaptive cybersecurity program can scale up or down automatically based on real-time risk data, and it incorporates the IT and security equipment and processes that already exist. For example, if you have a small organization and don’t have the budget for a full-scale IDS/IPS system, but ransomware attacks begin targeting companies in your industry, adaptive cybersecurity enables you to automatically scale into a full IDS/IPS system for as long as the risk is high enough to make it worthwhile.
In a world of increasingly tight budgets and increasing information security disruptions, adaptive cybersecurity represents a way forward. Make use of your existing security infrastructure, protect the assets that matter, and scale your security posture up or down in near real time against threats as they occur.
Make Use of What You Have
Chances are your organization has already invested in some type of cybersecurity. Whether that consists of investment in anti-virus or in top-of-the-line cybersecurity training, most organizations in 2021 have spent some money on improving their information security program. Adaptive cybersecurity adapts not only to the circumstances you face, but also to what you already have. An adaptive program enables you to leverage the IT and security assets you’ve already put money into, further lowering costs and improving the efficacy of your program.
The most effective cybersecurity programs are not those that invest the most. They are the ones that effectively leverage your most important asset (people), combine that with world-class technology, and focus on measurable risk reduction rather than thousands of pages of security policies that nobody plans to read.
We are entering an age of disruption. Large-scale cyber events threaten to cripple critical infrastructure, Fortune 500 companies, and mom-and-pop businesses. The only way forward is a cybersecurity program based on accurate estimates of real-world risk, enabling companies to cost-efficiently protect their valuable IT assets.